Global Permissions determine the actions which a user is allowed to perform in Confluence at a site level. To assign global permissions to a user or group you need Confluence Administrator or greater permissions.

Note: The first system administrator is defined during initial setup. During the initial configuration of Confluence, the Setup Wizard asks for the username of the System Administrator. This user will have the 'System Administrator' permission and will be a member of the 'confluence-administrators' group.

Overview of the global permissions

The following global permissions can be applied to groups and individuals.

Global Permission

Description

Can Use

This is the most basic permission that allows users to access the site.

Users with this permission count towards the number of users allowed by your license.

Attach Files to User Profile

This allows the user to upload files to be stored in their user profile.

This feature was made obsolete by the introduction of personal spaces in Confluence 2.2. Hence, this permission is no longer relevant. Attachments can be accessed from a user profile view (for example, an image within the 'About Me' field of a profile view) by attaching these files to a page within that user's personal space and referencing them using appropriate wiki markup code.

Update User Status

This allows the user to update their user status message, which can be seen on the user's profile, pages in their personal space and on various activity streams accessible to other Confluence users.

Personal Space

This permission allows the user to create a personal space.

Create Space(s)

This permission allows users to create new spaces within your Confluence site. When a space is created, the creator automatically has the 'Admin' permission for that space and can perform space-wide administrative functions.

Confluence Administrator

This permission allows users to access the 'Administration Console' that controls site-wide administrative functions. Users with this permission can perform most, but not all, of the Confluence administrative functions. See the comparison of 'System Administrator' and 'Confluence Administrator' below.

System Administrator

This permission allows users to access the 'Administration Console' that controls site-wide administrative functions. Users with this permission can perform all the Confluence administrative functions, including the ones which the 'Confluence Administrator' permission does not allow. See the comparison of 'System Administrator' and 'Confluence Administrator' below. Refer also to the note about the 'confluence-administrators' group below.

Comparing the System Administrator permission with the Confluence Administrator permission

Confluence recognises two levels of administrator:

System Administrator – Users with this permission can perform all the Confluence administrative functions, including the ones which the 'Confluence Administrator' permission does not allow.

Confluence Administrator – Users with this permission can perform most, but not all, of the Confluence administrative functions.

The two-tier administration is useful when you want to delegate some administrator privileges to project managers or team leaders. You can give 'Confluence Administrator' permission to users who should be able to perform most administrative functions, but should not be able to perform functions that can compromise the security of the Confluence system.

The following functions are granted to the 'System Administrator' permission but excluded from the 'Confluence Administrator' permission:

Administration Screen

Excluded from Confluence Administrator permission

General Configuration

The following functionality is disallowed:

Server Base URL

Public Signup

Connection Timeouts

Further Configuration

The following functionality is disallowed:

Remote API plugin

Security Configuration

The following functionality is disallowed:

External user management

Append wildcards to user and group searches

Anti XSS Mode

Enable Custom Stylesheets for Spaces

Show system information on the 500 page

Maximum RSS Items

XSRF Protection

Plugins

The following functionality is disallowed:

Upgrade

Install

Confluence Upgrade Check

Daily Backup Admin

This function is disallowed entirely.

Mail Servers

This function is disallowed entirely.

User Macros

This function is disallowed entirely.

Attachment Storage

This function is disallowed entirely.

Layouts

This function is disallowed entirely.

Custom HTML

This function is disallowed entirely.

Backup & Restore

This function is disallowed entirely.

Logging and Profiling

This function is disallowed entirely.

Cluster Configuration

This function is disallowed entirely.

Scheduled Jobs

This function is disallowed entirely.

Application Links

People with the 'Confluence Administrator' permission can add, modify and remove application links and project links. For example, they can link Confluence to JIRA. However, Confluence administrators can configure only OAuth authentication for application links.

Office Connector configuration

This function is disallowed entirely.

Comparing the confluence-administrators group with the administrator permissions

The 'confluence-administrators' group defines a set of 'super-users' who can access the Confluence administration console and perform site-wide administration. Members of this group can also see the content of all pages and spaces in the Confluence instance, regardless of space permissions. They cannot immediately see the pages that exclude them via page restrictions without knowing the direct URL to the page. They can remove the page restrictions via the Space Administration screen if need be. For example, they will not see restricted pages displayed by the children macro. But they are able to access restricted pages directly using the page URL.

The settings on the 'Global Permissions' screen do not affect the powers allowed to members of the 'confluence-administrators' group .

Granting the 'System Administrator' or 'Confluence Administrator' permission to a user will not automatically grant the user access to all spaces in the site. These permissions will only give access to the administration console.

Be aware, however, that users with 'System Administrator' can add themselves to the 'confluence-administrators' group and become a super-user.

The Confluence Administrator permission and the 'confluence-administrators' group are not related. Going by the names, you would think the 'confluence-administrators' group and the 'Confluence Administrator' permission are related – but they are not. Granting a user or a group 'Confluence Administrator' permission is not the same as granting them membership of the 'confluence-administrators' group. Granting the 'Confluence Administrator' permission enables access to only a subset of the administrative functions. Granting membership to the 'confluence-administrators' group gives complete access.

Updating global permissions

To view the global permissions for a group or user:

Choose the cog icon, then choose General Configuration under Confluence Administration

Error messages you may see

Confluence will let you know if there is a problem with some permissions. In rare situations, you may see the following error messages below a permission:

'User/Group not found' - This message may appear if your LDAP repository is unavailable, or if the user/group has been deleted after the permission was created.

'Case incorrect. Correct case is: xxxxxx' - This message may appear if the upper/lower case in the permission does not match the case of the username or group name. If you see a number of occurrences of this message, you should consider running the routine supplied to fix the problem.

59 Comments

Anonymous

Did you mean where are the permissions information being stored in the database? If that is the case, give a try to look into the SPACEPERMISSIONS table. It provides information of both the Global and Spaces level permission.
For example:

Anonymous

Under the Space Administration there is an activity section that you can use to track activity at a daily/weekly/monthly level. There is also a comparable function called "Global Activity" under the global administration. Alternatively, you could probably capture the XML from RSS feeds if you wanted something you could save off somewhere.

Confluence Administrators are able to access the global permissions page and change the permissions set, excluding permissions set for "confluence-administrators" group. The Confluence Administrators cannot assign themselves the "System Administrator" permission

Trusted applications - definitely not accessible by Confluence Administrators since it can compromise security of the system

Group management - the same restriction applies for answer #1 - Confluence Administrators can modify any groups, except for groups that has "System Administrator" permission.

Currently when new spaces are created by the Site Admin the confluence-users group is added into Space Permissions automatically. In this case the confluence-users group has default settings for the various permission attributes. My question is whether there is a way to modify the default permissions of the group confluence-users. Specifically, users are allowed to add attachments, but are not allowed to delete per the default settings. We'd like to change this default to also allow attachment deletion without having to go into space permissions and manually reset this for each new space. (our version is 2.8.2)

Please add your comments to the discussion, vote on it and add yourself as a watcher for future updates. Also, please bear in mind the following document on how we schedule features for inclusion in our products: Implementation of New Features and Improvements.

Yes it is possible to change the Space Admin. Just follow the steps documented here in order to assign space-admin permission to another user. You can only remove a particular space admin after assigning the space permission to another user. Otherwise you will get the error message "You are not allowed to remove all the Administration Permissions for this space." Hope that helps.

Anonymous

Hi,

I want to do the following. Have a group of users that can change all aspects of the sytem except for managing groups and permissions. Is it possible to do this? By default Confluence seems to restrict Confluence Administrators from doing things like defining custom HTML etc. Thanks.

Anonymous

There is a perimssion to control who can update status messages, but is it possible to restrict who can view status messages? We allow public users access to certain restrict spaces on our confluence instance, but don't want them to be able to see all of our company's internal comms through status messages...

We have the same need, that is to disable view of status messages to people who are either anonymous or only members of confluence-users group, so that people who are part of a specific group can only see the status messages for people in their group or network.

As far as I know, this feature is not currently available in Confluence. However, I have found a similar feature request. Please add yourself as a watcher, vote for this feature and add your own comments to this feature request. For further details on how we include new features and improvements, you might want to read this page

Anonymous

"Members of this group can also see all pages and spaces in the Confluence instance except pages for which they are excluded by page restrictions (restrictions can be removed by members of the confluence-administrators group in the Space Admin screen if need be)."

How can you grant global VIEW and EDIT permissions to System Administrator or Confluence Administrator EVEN if there are user restrictions on the content? We need this capability in order to perform our content governance... Thanks!

How can you grant global VIEW and EDIT permissions to System Administrator or Confluence Administrator EVEN if there are user restrictions on the content? We need this capability in order to perform our content governance..

Anonymous

Hi,

Our BI admin had accidentally deleted the user in Cognos portal Security - System Administrator group. Now, all users including BI admin not able to view the IBM Cognos Administration in the portal. Anyway to reset the permission or gain back a user to have System Administrator rights?

As far as I know, there's no way to delete either the System Administrator or the group confluence-administrators if there's only one user who has the permission in Confluence. Therefore, I believe there's still at least one System Administrator who can help you out in this matter.

Please add your comments to the discussion, vote on it and add yourself as a watcher for future updates. Also, please bear in mind the following document on how we schedule features for inclusion in our products: Implementation of New Features and Improvements.

I have a mere suggestion, you might want to hide the option for the Add Page option using CSS style syntax.
I have created an example shown below, hopefully, you will have some idea on this:

We are trying to create a Wiki Gardener role, who will have access to edit and view all content in the wiki, regardless of the space permissions set by the Space Admins. We don't want this role however to have access to the admin console. Is there any way to achieve this in Confluence?

I have added all enterprise domain users to a wiki security group in AD then added that group to the global permissions "can use". I thought this would work for all users who had not yet been added to the "confluence user" so that all domain users could access Confluence. However, this did not work, they seem to still need to be added to "confluence-users" to be able to access Confluence.

We have NTLM which prohibits the "auto join" feature when a new users tries to access Confluence. Is there a config file in which I can alter to add our AD group "wkAll" to to avoid continually having to add new domain users to the "confluence-user" group one by one?

Anonymous

Hi

I have a couple "Group not found" errors on groups in my Global Permissions but I am unable to remove them from the list. What do I have to do to be able to remove them?

Yes they have been removed from the LDAP directory. The only solution I can come up with is to re-add them to LDAP remove them from confluence and then re-remove them from LDAP. Seems a little stupid to me.

I have the same issue with users whose accounts have been removed from our LDAP - is there a way for me to force these permissions to be deleted? At the moment, if a new account happens to be created with the same name as an old one that has disappeared they'll "inherit" the old permissions, and that's not what we'd want to happen.

Am I right that I can't add users from my-LDAP-Directory to the group confluence-administrators. So no account in my directory can gain "real" super user rights? Giving these individuals "SuperAdmin rights" are less rights than the confluence-administrators have...

So how is the best workaround for my team of administrators to gain these rights without sharing one admin-account or creating extra local accounts?

I dont want confluence admins or system admins to access a space if they dont actively add themselves to the correct group. It says above:

"Granting the 'System Administrator' or 'Confluence Administrator' permission to a user will not automatically grant the user access to all spaces in the site. These permissions will only give access to the administration console."

I have removed the confluence-user view permissions on the space admin page but I can still see it.

It also says:

"Super user – A 'super user' belongs to theconfluence-administrators group, has full administrative access to Confluence, and can see all the content."

and

"Confluence Administrator – A person with 'Confluence Administrator' permission has access to most of the Confluence administrative functions."

What do you I need to do to hide the space from myself? (Im logged in and belong to the confluence-administrator group that is system user)

I did not install the system. Is it possible to se who is "Super user" and can see all the content?

Anonymous

Is it possible to grant read-only access to our Spaces? I added a new user with the permissions of "Can use", but all it does is let them log into the wiki, and doesn't show any of the existing spaces that are part of the wiki. I want him to be able to see the Spaces, just not edit them.

Anonymous

Hello,

We have the "Top Users" macro on our dashboard (based on page creates and edits) and it says our top user is "Anonymous", even though under Global Permissions, Anonymous access to Confluence is disabled. Is this a bug? We really would like to make sure Anonymous users are not getting access to our site.

As far as I know the groups in Confluence can be set to not being able to login anymore (only the admins are still allowed to login). So I removed the global permission "can use" from the groups, but then the whole group with all permissions was deleted. I had to add each group again and manually give them their individual permissions again.

Is there a way to remove "can use", but the group itself stays there with all other permissions set?